SZUT/casino

Archived

Fork 0

fix(deps): update dependencies (major and minor) #219

Merged

jank merged 2 commits from renovate/dependencies-(major-and-minor) into main

2025-06-04 08:04:02 +00:00

Renovate commented

2025-05-22 13:01:54 +00:00

Collaborator

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
io.jsonwebtoken:jjwt-jackson	`0.11.5` -> `0.12.6`
io.jsonwebtoken:jjwt-impl	`0.11.5` -> `0.12.6`
io.jsonwebtoken:jjwt-api	`0.11.5` -> `0.12.6`
org.springframework.boot:spring-boot-starter-oauth2-client (source)	`3.4.5` -> `3.5.0`
org.springframework.boot:spring-boot-starter-oauth2-resource-server (source)	`3.4.5` -> `3.5.0`
com.stripe:stripe-java	`29.1.0` -> `29.2.0`

Release Notes

jwtk/jjwt (io.jsonwebtoken:jjwt-jackson)

`v0.12.6`

Compare Source

This patch release:

Ensures that after successful JWS signature verification, an application-configured Base64Url Decoder output is
used to construct a Jws instance (instead of JJWT's default decoder). See
Issue 947.
Fixes a decompression memory leak in concurrent/multi-threaded environments introduced in 0.12.0 when decompressing JWTs with a zip header of GZIP. See Issue 949.
Upgrades BouncyCastle to 1.78 via PR 941.
Ensures that a JwkSet's keys list member is no longer considered secret and is not redacted by default. However, each individual JWK element within the keys list may still have redacted private or secret members as expected. See Issue 976.

`v0.12.5`

Compare Source

This patch release:

Ensures that builders' NestedCollection changes are applied to the collection immediately as mutation methods are called, no longer
requiring application developers to call .and() to 'commit' or apply a change. For example, prior to this release,
the following code did not apply changes:
```
JwtBuilder builder = Jwts.builder();
builder.audience().add("an-audience"); // no .and() call
builder.compact(); // would not keep 'an-audience'
```
Now this code works as expected and all other NestedCollection instances like it apply changes immediately (e.g. when calling
.add(value)).

However, standard fluent builder chains are still recommended for readability when feasible, e.g.
```
Jwts.builder()
    .audience().add("an-audience").and() // allows fluent chaining
    .subject("Joe")
    // etc...
    .compact()
```
See Issue 916.

`v0.12.4`

Compare Source

This patch release includes various changes listed below.

Jackson Default Parsing Behavior

This release makes two behavioral changes to JJWT's default Jackson ObjectMapper parsing settings:

In the interest of having stronger standards to reject potentially malformed/malicious/accidental JSON that could
have undesirable effects on an application, JJWT's default ObjectMapper is now configured to explicitly reject/fail
parsing JSON (JWT headers and/or Claims) if/when that JSON contains duplicate JSON member names.

For example, now the following JSON, if parsed, would fail (be rejected) by default:
```
{
  "hello": "world",
  "thisWillFail": 42,
  "thisWillFail": "test"
}
```
Technically, the JWT RFCs do allow duplicate named fields as long as the last parsed member is the one used
(see JWS RFC 7515, Section 4), so this is allowed.
However, because JWTs often reflect security concepts, it's usually better to be defensive and reject these
unexpected scenarios by default. The RFC later supports this position/preference in
Section 10.12:
```
Ambiguous and potentially exploitable situations
could arise if the JSON parser used does not enforce the uniqueness
of member names or returns an unpredictable value for duplicate
member names.
```
Finally, this is just a default, and the RFC does indeed allow duplicate member names if the last value is used,
so applications that require duplicates to be allowed can simply configure their own ObjectMapper and use
that with JJWT instead of assuming this (new) JJWT default. See
Issue #877 for more.
If using JJWT's support to use Jackson to parse
Custom Claim Types (for example, a Claim that should be
unmarshalled into a POJO), and the JSON for that POJO contained a member that is not represented in the specified
class, Jackson would fail parsing by default. Because POJOs and JSON data models can sometimes be out of sync
due to different class versions, the default behavior has been changed to ignore these unknown JSON members instead
of failing (i.e. the ObjectMapper's DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES is now set to false)
by default.

Again, if you prefer the stricter behavior of rejecting JSON with extra or unknown properties, you can configure
true on your own ObjectMapper instance and use that instance with the Jwts.parser() builder.

Additional Changes

This release also:

Fixes a thread-safety issue when using java.util.ServiceLoader to dynamically lookup/instantiate pluggable
implementations of JJWT interfaces (e.g. JSON parsers, etc). See
Issue #873 and its documented fix in
PR #893.
Ensures Android environments and older org.json library usages can parse JSON from a JwtBuilder-provided
java.io.Reader instance. Issue 882.
Ensures a single string aud (Audience) claim is retained (without converting it to a Set) when copying/applying a
source Claims instance to a destination Claims builder. Issue 890.
Ensures P-256, P-384 and P-521 Elliptic Curve JWKs zero-pad their field element (x, y, and d) byte array values
if necessary before Base64Url-encoding per RFC 7518, Sections
6.2.1.2,
6.2.1.3, and
6.2.2.1, respectively.
Issue 901.
Ensures that Secret JWKs for HMAC-SHA algorithms with k sizes larger than the algorithm minimum can
be parsed/used as expected. See Issue #905
Ensures there is an upper bound (maximum) iterations enforced for PBES2 decryption to help mitigate potential DoS
attacks. Many thanks to Jingcheng Yang and Jianjun Chen from Sichuan University and Zhongguancun Lab for their
work on this. See PR 911.
Fixes various typos in documentation and JavaDoc. Thanks to those contributing pull requests for these!

`v0.12.3`

Compare Source

This patch release:

Upgrades the org.json dependency to 20231013 to address that library's
CVE-2023-5072 vulnerability.
(Re-)enables empty values for custom claims, which was the behavior in <= 0.11.5.
Issue 858.

This is a follow-up release to finalize the work in 0.12.1 that tried to fix a reflection scope problem
on >= JDK 17. The 0.12.1 fix worked, but only if the importing project or application did not have its own
module-info.java file.

This release removes that reflection code entirely in favor of a JJWT-native implementation, eliminating JPMS
module (scope) problems on >= JDK 17. As such, --add-opens flags are no longer required to use JJWT.

The fix has been tested up through JDK 21 in a separate application environment (out of JJWT's codebase) to assert
expected functionality in a 'clean room' environment in a project both with and without module-info.java usage.

`v0.12.1`

Compare Source

Enabled reflective access on JDK 17+ to java.io.ByteArrayInputStream and sun.security.util.KeyUtil for
jjwt-impl.jar

`v0.12.0`

Compare Source

This is a big release! JJWT now fully supports Encrypted JSON Web Tokens (JWE), JSON Web Keys (JWK) and more! See the
sections below enumerating all new features as well as important notes on breaking changes or backwards-incompatible
changes made in preparation for the upcoming 1.0 release.

Because breaking changes are being introduced, it is strongly recommended to wait until the upcoming 1.0 release
where you can address breaking changes one time only.

Those that need immediate JWE encryption and JWK key support
however will likely want to upgrade now and deal with the smaller subset of breaking changes in the 1.0 release.

Simplified Starter Jar

Those upgrading to new modular JJWT versions from old single-jar versions will transparently obtain everything
they need in their Maven, Gradle or Android projects.

JJWT's early releases had one and only one .jar: jjwt.jar. Later releases moved to a modular design with 'api' and
'impl' jars including 'plugin' jars for Jackson, GSON, org.json, etc. Some users upgrading from the earlier single
jar to JJWT's later versions have been frustrated by being forced to learn how to configure the more modular .jars.

This release re-introduces the jjwt.jar artifact again, but this time it is simply an empty .jar with Maven
metadata that will automatically transitively download the following into a project, retaining the old single-jar
behavior:

jjwt-api.jar
jjwt-impl.jar
jjwt-jackson.jar

Naturally, developers are still encouraged to configure the modular .jars as described in JJWT's documentation for
greater control and to enable their preferred JSON parser, but this stop-gap should help those unaware when upgrading.

JSON Web Encryption (JWE) Support!

This has been a long-awaited feature for JJWT, years in the making, and it is quite extensive - so many encryption
algorithms and key management algorithms are defined by the JWA specification, and new API concepts had to be
introduced for all of them, as well as extensive testing with RFC-defined test vectors. The wait is over!
All JWA-defined encryption algorithms and key management algorithms are fully implemented and supported and
available immediately. For example:

AeadAlgorithm enc = Jwts.ENC.A256GCM;
SecretKey key = enc.key().build();
String compact = Jwts.builder().setSubject("Joe").encryptWith(key, enc).compact();

Jwe<Claims> jwe = Jwts.parser().decryptWith(key).build().parseEncryptedClaims(compact);

Many other RSA and Elliptic Curve examples are in the full README documentation.

JSON Web Key (JWK) Support!

Representing cryptographic keys - SecretKeys, RSA Public and Private Keys, Elliptic Curve Public and
Private keys - as fully encoded JSON objects according to the JWK specification - is now fully implemented and
supported. The new Jwks utility class exists to create JWK builders and parsers as desired. For example:

SecretKey key = Jwts.SIG.HS256.key().build();
SecretJwk jwk = Jwks.builder().forKey(key).build();
assert key.equals(jwk.toKey());

// or if receiving a JWK string:
Jwk<?> parsedJwk = Jwks.parser().build().parse(jwkString);
assert jwk.equals(parsedJwk);
assert key.equals(parsedJwk.toKey());

Many JJWT users won't need to use JWKs explicitly, but some JWA Key Management Algorithms (and lots of RFC test
vectors) utilize JWKs when transmitting JWEs. As this was required by JWE, it is now implemented in full for
JWE use as well as general-purpose JWK support.

JWK Thumbprint and JWK Thumbprint URI support

The JWK Thumbprint and
JWK Thumbprint URI RFC specifications are now fully supported. Please
see the README.md file's corresponding named sections for both for full documentation and usage examples.

JWS Unencoded Payload Option (`b64`) support

The JSON Web Signature (JWS) Unencoded Payload Option RFC specification
is now fully supported. Please see the README.md corresponding named section for documentation and usage examples.

Better PKCS11 and Hardware Security Module (HSM) support

Previous versions of JJWT enforced that Private Keys implemented the RSAKey and ECKey interfaces to enforce key
length requirements. With this release, JJWT will still perform those checks when those data types are available,
but if not, as is common with keys from PKCS11 and HSM KeyStores, JJWT will still allow those Keys to be used,
expecting the underlying Security Provider to enforce any key requirements. This should reduce or eliminate any
custom code previously written to extend JJWT to use keys from those KeyStores or Providers.

Additionally, PKCS11/HSM tests using SoftHSMv2 are run on every build with
every JWS MAC and Signature algorithm and every JWE Key algorithm to ensure continued stable support with
Android and Sun PKCS11 implementations and spec-compliant Hardware Security Modules that use the PKCS11 interface
(such as YubiKey, etc.)

Custom Signature Algorithms

The io.jsonwebtoken.SignatureAlgorithm enum has been deprecated in favor of new
io.jsonwebtoken.security.SecureDigestAlgorithm, io.jsonwebtoken.security.MacAlgorithm, and
io.jsonwebtoken.security.SignatureAlgorithm interfaces to allow custom algorithm implementations. The new nested
Jwts.SIG static inner class is a registry of all standard JWS algorithms as expected, exactly like the
old enum. This change was made because enums are a static concept by design and cannot
support custom values: those who wanted to use custom signature algorithms could not do so until now. The new
interfaces now allow anyone to plug in and support custom algorithms with JJWT as desired.

KeyBuilder and KeyPairBuilder

Because the io.jsonwebtoken.security.Keys#secretKeyFor and io.jsonwebtoken.security.Keys#keyPairFor methods
accepted the now-deprecated io.jsonwebtoken.SignatureAlgorithm enum, they have also been deprecated in favor of
calling new key() or keyPair() builder methods on MacAlgorithm and SignatureAlgorithm instances directly.
For example:

SecretKey key = Jwts.SIG.HS256.key().build();
KeyPair pair = Jwts.SIG.RS256.keyPair().build();

The builders allow for customization of the JCA Provider and SecureRandom during Key or KeyPair generation if desired, whereas
the old enum-based static utility methods did not.

Preparation for 1.0

Now that the JWE and JWK specifications are implemented, only a few things remain for JJWT to be considered at
version 1.0. We have been waiting to apply the 1.0 release version number until the entire set of JWT specifications
are fully supported and we drop JDK 7 support (to allow users to use JDK 8 APIs). To that end, we have had to
deprecate some concepts, or in some cases, completely break backwards compatibility to ensure the transition to
1.0 (and JDK 8 APIs) are possible. Most backwards-incompatible changes are listed in the next section below.

Backwards Compatibility Breaking Changes, Warnings and Deprecations

io.jsonwebtoken.Jwt's getBody() method has been deprecated in favor of a new getPayload() method to
reflect correct JWT specification nomenclature/taxonomy.
io.jsonwebtoken.Jws's getSignature() method has been deprecated in favor of a new getDigest() method to
support expected congruent behavior with Jwe instances (both have digests).
io.jsonwebtoken.JwtParser's parseContentJwt, parseClaimsJwt, parseContentJws, and parseClaimsJws methods
have been deprecated in favor of more intuitive respective parseUnsecuredContent, parseUnsecuredClaims,
parseSignedContent and parseSignedClaims methods.
io.jsonwebtoken.CompressionCodec is now deprecated in favor of the new io.jsonwebtoken.io.CompressionAlgorithm
interface. This is to guarantee API congruence with all other JWT-identifiable algorithm IDs that can be set as a
header value.
io.jsonwebtoken.CompressionCodecResolver has been deprecated in favor of the new
JwtParserBuilder#addCompressionAlgorithms method.

Breaking Changes

io.jsonwebtoken.Claims and io.jsonwebtoken.Header instances are now immutable to enhance security and thread
safety. Creation and mutation are supported with newly introduced ClaimsBuilder and HeaderBuilder concepts.
Even though mutation methods have migrated, there are a couple that have been removed entirely:
- io.jsonwebtoken.JwsHeader#setAlgorithm has been removed - the JwtBuilder will always set the appropriate
  alg header automatically based on builder state.
- io.jsonwebtoken.Header#setCompressionAlgorithm has been removed - the JwtBuilder will always set the appropriate
  zip header automatically based on builder state.
io.jsonwebtoken.Jwts's header(Map), jwsHeader() and jwsHeader(Map) methods have been removed in favor
of the new header() method that returns a HeaderBuilder to support method chaining and dynamic Header type
creation. The HeaderBuilder will dynamically create a Header, JwsHeader or JweHeader automatically based on
builder state.
Similarly, io.jsonwebtoken.Jwts's claims() static method has been changed to return a ClaimsBuilder instead
of a Claims instance.
JWTs that do not contain JSON Claims now have a payload type of byte[] instead of String (that is,
Jwt<byte[]> instead of Jwt<String>). This is because JWTs, especially when used with the
cty (Content Type) header, are capable of handling any type of payload, not just Strings. The previous JJWT
releases didn't account for this, and now the API accurately reflects the JWT RFC specification payload
capabilities. Additionally, the name of plaintext has been changed to content in method names and JavaDoc to
reflect this taxonomy. This change has impacted the following JJWT APIs:
- The JwtBuilder's setPayload(String) method has been deprecated in favor of two new methods:
  - setContent(byte[]), and
  - setContent(byte[], String contentType)
  These new methods allow any kind of content
  within a JWT, not just Strings. The existing setPayload(String) method implementation has been changed to
  delegate to this new setContent(byte[]) method with the argument's UTF-8 bytes, for example
  setContent(payloadString.getBytes(StandardCharsets.UTF_8)).
- The JwtParser's Jwt<Header, String> parsePlaintextJwt(String plaintextJwt) and
  Jws<String> parsePlaintextJws(String plaintextJws) methods have been changed to
  Jwt<Header, byte[]> parseContentJwt(String plaintextJwt) and
  Jws<byte[]> parseContentJws(String plaintextJws) respectively.
- JwtHandler's onPlaintextJwt(String) and onPlaintextJws(String) methods have been changed to
  onContentJwt(byte[]) and onContentJws(byte[]) respectively.
- io.jsonwebtoken.JwtHandlerAdapter has been changed to reflect the above-mentioned name and String-to-byte[]
  argument changes, as well adding the abstract modifier. This class was never intended
  to be instantiated directly, and is provided for subclassing only. The missing modifier has been added to ensure
  the class is used as it had always been intended.
- io.jsonwebtoken.SigningKeyResolver's resolveSigningKey(JwsHeader, String) method has been changed to
  resolveSigningKey(JwsHeader, byte[]).
io.jsonwebtoken.JwtParser is now immutable. All mutation/modification methods (setters, etc) deprecated 4 years
ago have been removed. All parser configuration requires using the JwtParserBuilder.
Similarly, io.jsonwebtoken.Jwts's parser() method deprecated 4 years ago has been changed to now return a
JwtParserBuilder instead of a direct JwtParser instance. The previous Jwts.parserBuilder() method has been
removed as it is now redundant.
The JwtParserBuilder no longer supports PrivateKeys for signature verification. This was an old
legacy behavior scheduled for removal years ago, and that change is now complete. For various cryptographic/security
reasons, asymmetric public/private key signatures should always be created with PrivateKeys and verified with
PublicKeys.
io.jsonwebtoken.CompressionCodec implementations are no longer discoverable via java.util.ServiceLoader due to
runtime performance problems with the JDK's ServiceLoader implementation per
https://github.com/jwtk/jjwt/issues/648. Custom implementations should be made available to the JwtParser via
the new JwtParserBuilder#addCompressionAlgorithms method.
Prior to this release, if there was a serialization problem when serializing the JWT Header, an IllegalStateException
was thrown. If there was a problem when serializing the JWT claims, an IllegalArgumentException was
thrown. This has been changed up to ensure consistency: any serialization error with either headers or claims
will now throw a io.jsonwebtoken.io.SerializationException.
Parsing of unsecured JWTs (alg header of none) are now disabled by default as mandated by
RFC 7518, Section 3.6. If you require parsing of
unsecured JWTs, you must call the JwtParserBuilder#enableUnsecured() method, but note the security
implications mentioned in that method's JavaDoc before doing so.
io.jsonwebtoken.gson.io.GsonSerializer now requires Gson instances that have a registered
GsonSupplierSerializer type adapter, for example:
```
new GsonBuilder()
  .registerTypeHierarchyAdapter(io.jsonwebtoken.lang.Supplier.class, GsonSupplierSerializer.INSTANCE)    
  .disableHtmlEscaping().create();
```
This is to ensure JWKs have toString() and application log safety (do not print secure material), but still
serialize to JSON correctly.
io.jsonwebtoken.InvalidClaimException and its two subclasses (IncorrectClaimException and MissingClaimException)
were previously mutable, allowing the corresponding claim name and claim value to be set on the exception after
creation. These should have always been immutable without those setters (just getters), and this was a previous
implementation oversight. This release has ensured they are immutable without the setters.

spring-projects/spring-boot (org.springframework.boot:spring-boot-starter-oauth2-client)

`v3.5.0`

Full release notes for Spring Boot 3.5 are available on the wiki.

⭐ New Features

Make heapdump endpoint restricted by default #45624
Remove SSL status tag from metrics #45602
Remove 'spring.http.client' deprecation and change 'spring.http.reactiveclient.settings' to 'spring.http.reactiveclient' #45507

🐞 Bug Fixes

Unable to override/set nested ConfigurationProperties by passing as a system property #45639
ValidationAutoConfiguration triggers early initialization of properties binding #45618
Micrometer "enable" annotations property does not cover observed aspect #45617
spring.graphql.sse.timeout is no longer exposed #45613
SpringApplication.setEnvironmentPrefix is ignored when reading SPRING_PROFILES_ACTIVE #45549
IllegalStateException when extracting using layers a module with no code of its own #45449
Removed spring.batch.initialize-schema property is still considered #45380
ReactorHttpClientBuilder does not offer a factory method to create the HttpClient #45378
Suggested values for spring.jpa.hibernate.ddl-auto are not aligned with Hibernate #45351
Custom default units declared on a field are ignored when binding properties in a native image #45347
DockerRegistryConfigAuthentication uses the wrong serverUrl as a fallback for the Credentials helper #45345
Various spring.datasource properties are mistakenly marked as ignored #45342
JerseyWebApplicationInitializer always gets loaded, setting a ServletContext initParameter #45297
DockerRegistryConfigAuthentication does not align with Docker CLI #45292
Unlike the Docker CLI, "\x00" characters are not trimmed from a decoded Docker Registry password #45290
CloudFoundry security matcher logs a warning due to use of the 'ignoring()' method #32622

📔 Documentation

Document the java info contribution #45634
Document the process info contribution #45632
Document the os info contribution #45630
Document typical spring.application.group and name use #45628
Document that bean methods should be static when annotated with @ConfigurationPropertiesBinding #45626
Document the way that primary Kotlin constructors are used when binding #45553
Improve "profile" reference documentation with additional admonitions #45551
Improve setEnvironmentPrefix(...) reference documentation #45376
Document all the available Testcontainers integrations #45367
Document when a spring.config.import value is relative and when it is fixed #45363
Update org.cyclonedx.bom version in docs to 2.3.0 #45320
Update link to "Parameter Name Retention" section of Spring Framework's release notes #45299

🔨 Dependency Upgrades

Prevent upgrade to Prometheus Client 1.3.7 #45541
Upgrade to Couchbase Client 3.8.1 #45539
Upgrade to Elasticsearch 8.18.1 #45447
Upgrade to GraphQL Java 24.0 #45588
Upgrade to Hibernate 6.6.15.Final #45540
Upgrade to HttpClient5 5.4.4 #45462
Upgrade to Jackson Bom 2.18.4 #45463
Upgrade to Jackson Bom 2.19.0 #45542
Upgrade to Jetty 12.0.21 #45519
Upgrade to jOOQ 3.19.23 #45465
Upgrade to Kafka 3.9.1 #45606
Upgrade to Micrometer 1.15.0 #45432
Upgrade to Micrometer Tracing 1.5.0 #45433
Upgrade to Neo4j Java Driver 5.28.5 #45446
Upgrade to Netty 4.1.121.Final #45466
Upgrade to R2DBC Proxy 1.1.6.RELEASE #45467
Upgrade to Reactor Bom 2024.0.6 #45434
Upgrade to REST Assured 5.5.2 #45571
Upgrade to Spring Authorization Server 1.5.0 #45435
Upgrade to Spring Data Bom 2025.0.0 #45436
Upgrade to Spring Framework 6.2.7 #45437
Upgrade to Spring GraphQL 1.4.0 #45438
Upgrade to Spring HATEOAS 2.5.0 #45559
Upgrade to Spring Integration 6.5.0 #45439
Upgrade to Spring Kafka 3.3.6 #45440
Upgrade to Spring LDAP 3.3.0 #45441
Upgrade to Spring Pulsar 1.2.6 #45442
Upgrade to Spring Retry 2.0.12 #45443
Upgrade to Spring Security 6.5.0 #45444
Upgrade to Spring Session 3.5.0 #45560
Upgrade to Spring WS 4.1.0 #45445
Upgrade to Tomcat 10.1.41 #45520
Upgrade to XmlUnit2 2.10.1 #45607

❤️ Contributors

Thank you to all the contributors who worked on this release:

@ahrytsiuk, @izeye, @lhotari, @ngocnhan-tran1996, @nosan, @quaff, @thecooldrop, and @yybmion

`v3.4.6`

🐞 Bug Fixes

Micrometer "enable" annotations property does not cover observed aspect #45616
SpringApplication.setEnvironmentPrefix is ignored when reading SPRING_PROFILES_ACTIVE #45548
IllegalStateException when extracting using layers a module with no code of its own #45448
Suggested values for spring.jpa.hibernate.ddl-auto are not aligned with Hibernate #45350
Custom default units declared on a field are ignored when binding properties in a native image #45346
JerseyWebApplicationInitializer always gets loaded, setting a ServletContext initParameter #45296

📔 Documentation

Document the java info contribution #45633
Document the process info contribution #45631
Document the os info contribution #45629
Document typical spring.application.group and name use #45627
Document that bean methods should be static when annotated with @ConfigurationPropertiesBinding #45625
Document the way that primary Kotlin constructors are used when binding #45552
Improve "profile" reference documentation with additional admonitions #45550
Improve setEnvironmentPrefix(...) reference documentation #45375
Document all the available Testcontainers integrations #45366
Document when a spring.config.import value is relative and when it is fixed #45362
Update link to "Parameter Name Retention" section of Spring Framework's release notes #45298

🔨 Dependency Upgrades

Upgrade to Hibernate 6.6.15.Final #45537
Upgrade to HttpClient5 5.4.4 #45455
Upgrade to Jackson Bom 2.18.4 #45456
Upgrade to Jetty 12.0.21 #45516
Upgrade to jOOQ 3.19.23 #45458
Upgrade to Micrometer 1.14.7 #45412
Upgrade to Micrometer Tracing 1.4.6 #45413
Upgrade to Neo4j Java Driver 5.28.5 #45431
Upgrade to Netty 4.1.121.Final #45459
Upgrade to R2DBC Proxy 1.1.6.RELEASE #45460
Upgrade to Reactor Bom 2024.0.6 #45414
Upgrade to REST Assured 5.5.2 #45570
Upgrade to Spring Data Bom 2024.1.6 #45415
Upgrade to Spring Framework 6.2.7 #45417
Upgrade to Spring Integration 6.4.5 #45419
Upgrade to Spring Kafka 3.3.6 #45421
Upgrade to Spring Pulsar 1.2.6 #45423
Upgrade to Spring Retry 2.0.12 #45425
Upgrade to Spring Security 6.4.6 #45558
Upgrade to Spring WS 4.0.14 #45581
Upgrade to Tomcat 10.1.41 #45517
Upgrade to XmlUnit2 2.10.1 #45605

❤️ Contributors

Thank you to all the contributors who worked on this release:

@ahrytsiuk, @izeye, @ngocnhan-tran1996, @nosan, @quaff, @thecooldrop, and @yybmion

stripe/stripe-java (com.stripe:stripe-java)

`v29.2.0`

#2000 Update generated code. This release changes the pinned API version to 2025-05-28.basil.
- Add support for attach_payment method on resource Invoice
- Add support for collect_inputs method on resource terminal.Reader
- Add support for succeed_input_collection and timeout_input_collection test helper methods on resource terminal.Reader
- Add support for pixPayments on Account.capabilities, AccountCreateParams.capabilities, and AccountUpdateParams.capabilities
- Add support for disputesList and paymentDisputes on AccountSession.components and AccountSessionCreateParams.components
- Add support for refundAndDisputePrefunding on Balance
- Add support for balanceType on BalanceTransaction
- Change billing.AlertCreateParams.usage_threshold.meter to be required
- Add support for location and reader on Charge.payment_method_details.affirm and Charge.payment_method_details.wechat_pay
- Add support for paymentMethodRemove on checkout.SessionCreateParams.saved_payment_method_options
- Add support for setupFutureUsage on checkout.Session.payment_method_options.naver_pay
- Add support for postPaymentAmount and prePaymentAmount on CreditNote
- Add support for sex, unparsedPlaceOfBirth, and unparsedSex on identity.VerificationReport.document and identity.VerificationSession.verified_outputs
- Add support for billingThresholds on InvoiceCreatePreviewParams.schedule_details.phases[].items[], InvoiceCreatePreviewParams.schedule_details.phases[], InvoiceCreatePreviewParams.subscription_details.items[], SubscriptionCreateParams.items[], SubscriptionCreateParams, SubscriptionItemCreateParams, SubscriptionItemUpdateParams, SubscriptionItem, SubscriptionSchedule.default_settings, SubscriptionSchedule.phases[].items[], SubscriptionSchedule.phases[], SubscriptionScheduleCreateParams.default_settings, SubscriptionScheduleCreateParams.phases[].items[], SubscriptionScheduleCreateParams.phases[], SubscriptionScheduleUpdateParams.default_settings, SubscriptionScheduleUpdateParams.phases[].items[], SubscriptionScheduleUpdateParams.phases[], SubscriptionUpdateParams.items[], SubscriptionUpdateParams, and Subscription
- Add support for satispay on PaymentIntent.payment_method_options, PaymentIntentConfirmParams.payment_method_options, PaymentIntentCreateParams.payment_method_options, and PaymentIntentUpdateParams.payment_method_options
- Add support for captureMethod on PaymentIntent.payment_method_options.billie
- Add support for kakaoPay, krCard, naverPay, payco, and samsungPay on PaymentMethodConfigurationCreateParams, PaymentMethodConfigurationUpdateParams, and PaymentMethodConfiguration
- Add support for networkDeclineCode on Refund.destination_details.paypal
- Add support for metadata on tax.CalculationCreateParams.line_items[] and tax.CalculationLineItem
- Add support for new value simulated_stripe_s700 on enum terminal.ReaderListParams.deviceType
- Add support for returnUrl on terminal.Reader.action.process_payment_intent.process_config and terminal.ReaderProcessPaymentIntentParams.process_config
- Add support for collectInputs on terminal.Reader.action
- Add support for new value invoice_payment.paid on enums WebhookEndpointCreateParams.enabledEvents and WebhookEndpointUpdateParams.enabledEvents
- Add support for new value 2025-05-28.basil on enum WebhookEndpointCreateParams.apiVersion
- Add support for snapshot event invoice_payment.paid with resource InvoicePayment
#2002 Adds generated Customer retrievePaymentMethod overload
- Adds retrievePaymentMethod overload to Customer that accepts a payment method id and RequestOptions object
#1997 Adds CONTRIBUTING.md

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [io.jsonwebtoken:jjwt-jackson](https://github.com/jwtk/jjwt) | `0.11.5` -> `0.12.6` | [![age](https://developer.mend.io/api/mc/badges/age/maven/io.jsonwebtoken:jjwt-jackson/0.12.6?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/maven/io.jsonwebtoken:jjwt-jackson/0.12.6?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/maven/io.jsonwebtoken:jjwt-jackson/0.11.5/0.12.6?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/maven/io.jsonwebtoken:jjwt-jackson/0.11.5/0.12.6?slim=true)](https://docs.renovatebot.com/merge-confidence/) | | [io.jsonwebtoken:jjwt-impl](https://github.com/jwtk/jjwt) | `0.11.5` -> `0.12.6` | [![age](https://developer.mend.io/api/mc/badges/age/maven/io.jsonwebtoken:jjwt-impl/0.12.6?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/maven/io.jsonwebtoken:jjwt-impl/0.12.6?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/maven/io.jsonwebtoken:jjwt-impl/0.11.5/0.12.6?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/maven/io.jsonwebtoken:jjwt-impl/0.11.5/0.12.6?slim=true)](https://docs.renovatebot.com/merge-confidence/) | | [io.jsonwebtoken:jjwt-api](https://github.com/jwtk/jjwt) | `0.11.5` -> `0.12.6` | [![age](https://developer.mend.io/api/mc/badges/age/maven/io.jsonwebtoken:jjwt-api/0.12.6?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/maven/io.jsonwebtoken:jjwt-api/0.12.6?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/maven/io.jsonwebtoken:jjwt-api/0.11.5/0.12.6?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/maven/io.jsonwebtoken:jjwt-api/0.11.5/0.12.6?slim=true)](https://docs.renovatebot.com/merge-confidence/) | | [org.springframework.boot:spring-boot-starter-oauth2-client](https://spring.io/projects/spring-boot) ([source](https://github.com/spring-projects/spring-boot)) | `3.4.5` -> `3.5.0` | [![age](https://developer.mend.io/api/mc/badges/age/maven/org.springframework.boot:spring-boot-starter-oauth2-client/3.5.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/maven/org.springframework.boot:spring-boot-starter-oauth2-client/3.5.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/maven/org.springframework.boot:spring-boot-starter-oauth2-client/3.4.5/3.5.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/maven/org.springframework.boot:spring-boot-starter-oauth2-client/3.4.5/3.5.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | | [org.springframework.boot:spring-boot-starter-oauth2-resource-server](https://spring.io/projects/spring-boot) ([source](https://github.com/spring-projects/spring-boot)) | `3.4.5` -> `3.5.0` | [![age](https://developer.mend.io/api/mc/badges/age/maven/org.springframework.boot:spring-boot-starter-oauth2-resource-server/3.5.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/maven/org.springframework.boot:spring-boot-starter-oauth2-resource-server/3.5.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/maven/org.springframework.boot:spring-boot-starter-oauth2-resource-server/3.4.5/3.5.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/maven/org.springframework.boot:spring-boot-starter-oauth2-resource-server/3.4.5/3.5.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | | [com.stripe:stripe-java](https://github.com/stripe/stripe-java) | `29.1.0` -> `29.2.0` | [![age](https://developer.mend.io/api/mc/badges/age/maven/com.stripe:stripe-java/29.2.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/maven/com.stripe:stripe-java/29.2.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/maven/com.stripe:stripe-java/29.1.0/29.2.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/maven/com.stripe:stripe-java/29.1.0/29.2.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes <details> <summary>jwtk/jjwt (io.jsonwebtoken:jjwt-jackson)</summary> ### [`v0.12.6`](https://github.com/jwtk/jjwt/blob/HEAD/CHANGELOG.md#0126) [Compare Source](https://github.com/jwtk/jjwt/compare/0.12.5...0.12.6) This patch release: - Ensures that after successful JWS signature verification, an application-configured Base64Url `Decoder` output is used to construct a `Jws` instance (instead of JJWT's default decoder). See [Issue 947](https://github.com/jwtk/jjwt/issues/947). - Fixes a decompression memory leak in concurrent/multi-threaded environments introduced in 0.12.0 when decompressing JWTs with a `zip` header of `GZIP`. See [Issue 949](https://github.com/jwtk/jjwt/issues/949). - Upgrades BouncyCastle to 1.78 via [PR 941](https://github.com/jwtk/jjwt/pull/941). - Ensures that a `JwkSet`'s `keys` list member is no longer considered secret and is not redacted by default. However, each individual JWK element within the `keys` list may still have [redacted private or secret members](https://github.com/jwtk/jjwt?tab=readme-ov-file#jwk-tostring-safety) as expected. See [Issue 976](https://github.com/jwtk/jjwt/issues/976). ### [`v0.12.5`](https://github.com/jwtk/jjwt/blob/HEAD/CHANGELOG.md#0125) [Compare Source](https://github.com/jwtk/jjwt/compare/0.12.4...0.12.5) This patch release: - Ensures that builders' `NestedCollection` changes are applied to the collection immediately as mutation methods are called, no longer requiring application developers to call `.and()` to 'commit' or apply a change. For example, prior to this release, the following code did not apply changes: ```java JwtBuilder builder = Jwts.builder(); builder.audience().add("an-audience"); // no .and() call builder.compact(); // would not keep 'an-audience' ``` Now this code works as expected and all other `NestedCollection` instances like it apply changes immediately (e.g. when calling `.add(value)`). However, standard fluent builder chains are still recommended for readability when feasible, e.g. ```java Jwts.builder() .audience().add("an-audience").and() // allows fluent chaining .subject("Joe") // etc... .compact() ``` See [Issue 916](https://github.com/jwtk/jjwt/issues/916). ### [`v0.12.4`](https://github.com/jwtk/jjwt/blob/HEAD/CHANGELOG.md#0124) [Compare Source](https://github.com/jwtk/jjwt/compare/0.12.3...0.12.4) This patch release includes various changes listed below. ##### Jackson Default Parsing Behavior This release makes two behavioral changes to JJWT's default Jackson `ObjectMapper` parsing settings: 1. In the interest of having stronger standards to reject potentially malformed/malicious/accidental JSON that could have undesirable effects on an application, JJWT's default ` ObjectMapper `is now configured to explicitly reject/fail parsing JSON (JWT headers and/or Claims) if/when that JSON contains duplicate JSON member names. For example, now the following JSON, if parsed, would fail (be rejected) by default: ```json { "hello": "world", "thisWillFail": 42, "thisWillFail": "test" } ``` Technically, the JWT RFCs *do allow* duplicate named fields as long as the last parsed member is the one used (see [JWS RFC 7515, Section 4](https://datatracker.ietf.org/doc/html/rfc7515#section-4)), so this is allowed. However, because JWTs often reflect security concepts, it's usually better to be defensive and reject these unexpected scenarios by default. The RFC later supports this position/preference in [Section 10.12](https://datatracker.ietf.org/doc/html/rfc7515#section-10.12): Ambiguous and potentially exploitable situations could arise if the JSON parser used does not enforce the uniqueness of member names or returns an unpredictable value for duplicate member names. Finally, this is just a default, and the RFC does indeed allow duplicate member names if the last value is used, so applications that require duplicates to be allowed can simply configure their own `ObjectMapper` and use that with JJWT instead of assuming this (new) JJWT default. See [Issue #877](https://github.com/jwtk/jjwt/issues/877) for more. 2. If using JJWT's support to use Jackson to parse [Custom Claim Types](https://github.com/jwtk/jjwt#json-jackson-custom-types) (for example, a Claim that should be unmarshalled into a POJO), and the JSON for that POJO contained a member that is not represented in the specified class, Jackson would fail parsing by default. Because POJOs and JSON data models can sometimes be out of sync due to different class versions, the default behavior has been changed to ignore these unknown JSON members instead of failing (i.e. the `ObjectMapper`'s `DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES` is now set to `false`) by default. Again, if you prefer the stricter behavior of rejecting JSON with extra or unknown properties, you can configure `true` on your own `ObjectMapper` instance and use that instance with the `Jwts.parser()` builder. ##### Additional Changes This release also: - Fixes a thread-safety issue when using `java.util.ServiceLoader` to dynamically lookup/instantiate pluggable implementations of JJWT interfaces (e.g. JSON parsers, etc). See [Issue #873](https://github.com/jwtk/jjwt/issues/873) and its documented fix in [PR #893](https://github.com/jwtk/jjwt/pull/892). - Ensures Android environments and older `org.json` library usages can parse JSON from a `JwtBuilder`-provided `java.io.Reader` instance. [Issue 882](https://github.com/jwtk/jjwt/issues/882). - Ensures a single string `aud` (Audience) claim is retained (without converting it to a `Set`) when copying/applying a source Claims instance to a destination Claims builder. [Issue 890](https://github.com/jwtk/jjwt/issues/890). - Ensures P-256, P-384 and P-521 Elliptic Curve JWKs zero-pad their field element (`x`, `y`, and `d`) byte array values if necessary before Base64Url-encoding per [RFC 7518](https://datatracker.ietf.org/doc/html/rfc7518), Sections [6.2.1.2](https://datatracker.ietf.org/doc/html/rfc7518#section-6.2.1.2), [6.2.1.3](https://datatracker.ietf.org/doc/html/rfc7518#section-6.2.1.3), and [6.2.2.1](https://datatracker.ietf.org/doc/html/rfc7518#section-6.2.2.1), respectively. [Issue 901](https://github.com/jwtk/jjwt/issues/901). - Ensures that Secret JWKs for HMAC-SHA algorithms with `k` sizes larger than the algorithm minimum can be parsed/used as expected. See [Issue #905](https://github.com/jwtk/jjwt/issues/905) - Ensures there is an upper bound (maximum) iterations enforced for PBES2 decryption to help mitigate potential DoS attacks. Many thanks to Jingcheng Yang and Jianjun Chen from Sichuan University and Zhongguancun Lab for their work on this. See [PR 911](https://github.com/jwtk/jjwt/pull/911). - Fixes various typos in documentation and JavaDoc. Thanks to those contributing pull requests for these! ### [`v0.12.3`](https://github.com/jwtk/jjwt/blob/HEAD/CHANGELOG.md#0123) [Compare Source](https://github.com/jwtk/jjwt/compare/0.12.2...0.12.3) This patch release: - Upgrades the `org.json` dependency to `20231013` to address that library's [CVE-2023-5072](https://nvd.nist.gov/vuln/detail/CVE-2023-5072) vulnerability. - (Re-)enables empty values for custom claims, which was the behavior in <= 0.11.5. [Issue 858](https://github.com/jwtk/jjwt/issues/858). ### [`v0.12.2`](https://github.com/jwtk/jjwt/blob/HEAD/CHANGELOG.md#0122) [Compare Source](https://github.com/jwtk/jjwt/compare/0.12.1...0.12.2) This is a follow-up release to finalize the work in 0.12.1 that tried to fix a reflection scope problem on >= JDK 17. The 0.12.1 fix worked, but only if the importing project or application did *not* have its own `module-info.java` file. This release removes that reflection code entirely in favor of a JJWT-native implementation, eliminating JPMS module (scope) problems on >= JDK 17. As such, `--add-opens` flags are no longer required to use JJWT. The fix has been tested up through JDK 21 in a separate application environment (out of JJWT's codebase) to assert expected functionality in a 'clean room' environment in a project both with and without `module-info.java` usage. ### [`v0.12.1`](https://github.com/jwtk/jjwt/blob/HEAD/CHANGELOG.md#0121) [Compare Source](https://github.com/jwtk/jjwt/compare/0.12.0...0.12.1) Enabled reflective access on JDK 17+ to `java.io.ByteArrayInputStream` and `sun.security.util.KeyUtil` for `jjwt-impl.jar` ### [`v0.12.0`](https://github.com/jwtk/jjwt/blob/HEAD/CHANGELOG.md#0120) [Compare Source](https://github.com/jwtk/jjwt/compare/0.11.5...0.12.0) This is a big release! JJWT now fully supports Encrypted JSON Web Tokens (JWE), JSON Web Keys (JWK) and more! See the sections below enumerating all new features as well as important notes on breaking changes or backwards-incompatible changes made in preparation for the upcoming 1.0 release. **Because breaking changes are being introduced, it is strongly recommended to wait until the upcoming 1.0 release where you can address breaking changes one time only**. Those that need immediate JWE encryption and JWK key support however will likely want to upgrade now and deal with the smaller subset of breaking changes in the 1.0 release. ##### Simplified Starter Jar Those upgrading to new modular JJWT versions from old single-jar versions will transparently obtain everything they need in their Maven, Gradle or Android projects. JJWT's early releases had one and only one .jar: `jjwt.jar`. Later releases moved to a modular design with 'api' and 'impl' jars including 'plugin' jars for Jackson, GSON, org.json, etc. Some users upgrading from the earlier single jar to JJWT's later versions have been frustrated by being forced to learn how to configure the more modular .jars. This release re-introduces the `jjwt.jar` artifact again, but this time it is simply an empty .jar with Maven metadata that will automatically transitively download the following into a project, retaining the old single-jar behavior: - `jjwt-api.jar` - `jjwt-impl.jar` - `jjwt-jackson.jar` Naturally, developers are still encouraged to configure the modular .jars as described in JJWT's documentation for greater control and to enable their preferred JSON parser, but this stop-gap should help those unaware when upgrading. ##### JSON Web Encryption (JWE) Support! This has been a long-awaited feature for JJWT, years in the making, and it is quite extensive - so many encryption algorithms and key management algorithms are defined by the JWA specification, and new API concepts had to be introduced for all of them, as well as extensive testing with RFC-defined test vectors. The wait is over!\ All JWA-defined encryption algorithms and key management algorithms are fully implemented and supported and available immediately. For example: ```java AeadAlgorithm enc = Jwts.ENC.A256GCM; SecretKey key = enc.key().build(); String compact = Jwts.builder().setSubject("Joe").encryptWith(key, enc).compact(); Jwe<Claims> jwe = Jwts.parser().decryptWith(key).build().parseEncryptedClaims(compact); ``` Many other RSA and Elliptic Curve examples are in the full README documentation. ##### JSON Web Key (JWK) Support! Representing cryptographic keys - SecretKeys, RSA Public and Private Keys, Elliptic Curve Public and Private keys - as fully encoded JSON objects according to the JWK specification - is now fully implemented and supported. The new `Jwks` utility class exists to create JWK builders and parsers as desired. For example: ```java SecretKey key = Jwts.SIG.HS256.key().build(); SecretJwk jwk = Jwks.builder().forKey(key).build(); assert key.equals(jwk.toKey()); // or if receiving a JWK string: Jwk<?> parsedJwk = Jwks.parser().build().parse(jwkString); assert jwk.equals(parsedJwk); assert key.equals(parsedJwk.toKey()); ``` Many JJWT users won't need to use JWKs explicitly, but some JWA Key Management Algorithms (and lots of RFC test vectors) utilize JWKs when transmitting JWEs. As this was required by JWE, it is now implemented in full for JWE use as well as general-purpose JWK support. ##### JWK Thumbprint and JWK Thumbprint URI support The [JWK Thumbprint](https://www.rfc-editor.org/rfc/rfc7638.html) and [JWK Thumbprint URI](https://www.rfc-editor.org/rfc/rfc9278.html) RFC specifications are now fully supported. Please see the README.md file's corresponding named sections for both for full documentation and usage examples. ##### JWS Unencoded Payload Option (`b64`) support The [JSON Web Signature (JWS) Unencoded Payload Option](https://www.rfc-editor.org/rfc/rfc7797.html) RFC specification is now fully supported. Please see the README.md corresponding named section for documentation and usage examples. ##### Better PKCS11 and Hardware Security Module (HSM) support Previous versions of JJWT enforced that Private Keys implemented the `RSAKey` and `ECKey` interfaces to enforce key length requirements. With this release, JJWT will still perform those checks when those data types are available, but if not, as is common with keys from PKCS11 and HSM KeyStores, JJWT will still allow those Keys to be used, expecting the underlying Security Provider to enforce any key requirements. This should reduce or eliminate any custom code previously written to extend JJWT to use keys from those KeyStores or Providers. Additionally, PKCS11/HSM tests using [SoftHSMv2](https://www.opendnssec.org/softhsm/) are run on every build with every JWS MAC and Signature algorithm and every JWE Key algorithm to ensure continued stable support with Android and Sun PKCS11 implementations and spec-compliant Hardware Security Modules that use the PKCS11 interface (such as YubiKey, etc.) ##### Custom Signature Algorithms The `io.jsonwebtoken.SignatureAlgorithm` enum has been deprecated in favor of new `io.jsonwebtoken.security.SecureDigestAlgorithm`, `io.jsonwebtoken.security.MacAlgorithm`, and `io.jsonwebtoken.security.SignatureAlgorithm` interfaces to allow custom algorithm implementations. The new nested `Jwts.SIG` static inner class is a registry of all standard JWS algorithms as expected, exactly like the old enum. This change was made because enums are a static concept by design and cannot support custom values: those who wanted to use custom signature algorithms could not do so until now. The new interfaces now allow anyone to plug in and support custom algorithms with JJWT as desired. ##### KeyBuilder and KeyPairBuilder Because the `io.jsonwebtoken.security.Keys#secretKeyFor` and `io.jsonwebtoken.security.Keys#keyPairFor` methods accepted the now-deprecated `io.jsonwebtoken.SignatureAlgorithm` enum, they have also been deprecated in favor of calling new `key()` or `keyPair()` builder methods on `MacAlgorithm` and `SignatureAlgorithm` instances directly.\ For example: ```java SecretKey key = Jwts.SIG.HS256.key().build(); KeyPair pair = Jwts.SIG.RS256.keyPair().build(); ``` The builders allow for customization of the JCA `Provider` and `SecureRandom` during Key or KeyPair generation if desired, whereas the old enum-based static utility methods did not. ##### Preparation for 1.0 Now that the JWE and JWK specifications are implemented, only a few things remain for JJWT to be considered at version 1.0. We have been waiting to apply the 1.0 release version number until the entire set of JWT specifications are fully supported **and** we drop JDK 7 support (to allow users to use JDK 8 APIs). To that end, we have had to deprecate some concepts, or in some cases, completely break backwards compatibility to ensure the transition to 1.0 (and JDK 8 APIs) are possible. Most backwards-incompatible changes are listed in the next section below. ##### Backwards Compatibility Breaking Changes, Warnings and Deprecations - `io.jsonwebtoken.Jwt`'s `getBody()` method has been deprecated in favor of a new `getPayload()` method to reflect correct JWT specification nomenclature/taxonomy. - `io.jsonwebtoken.Jws`'s `getSignature()` method has been deprecated in favor of a new `getDigest()` method to support expected congruent behavior with `Jwe` instances (both have digests). - `io.jsonwebtoken.JwtParser`'s `parseContentJwt`, `parseClaimsJwt`, `parseContentJws`, and `parseClaimsJws` methods have been deprecated in favor of more intuitive respective `parseUnsecuredContent`, `parseUnsecuredClaims`, `parseSignedContent` and `parseSignedClaims` methods. - `io.jsonwebtoken.CompressionCodec` is now deprecated in favor of the new `io.jsonwebtoken.io.CompressionAlgorithm` interface. This is to guarantee API congruence with all other JWT-identifiable algorithm IDs that can be set as a header value. - `io.jsonwebtoken.CompressionCodecResolver` has been deprecated in favor of the new `JwtParserBuilder#addCompressionAlgorithms` method. ##### Breaking Changes - **`io.jsonwebtoken.Claims` and `io.jsonwebtoken.Header` instances are now immutable** to enhance security and thread safety. Creation and mutation are supported with newly introduced `ClaimsBuilder` and `HeaderBuilder` concepts. Even though mutation methods have migrated, there are a couple that have been removed entirely: - `io.jsonwebtoken.JwsHeader#setAlgorithm` has been removed - the `JwtBuilder` will always set the appropriate `alg` header automatically based on builder state. - `io.jsonwebtoken.Header#setCompressionAlgorithm` has been removed - the `JwtBuilder` will always set the appropriate `zip` header automatically based on builder state. - `io.jsonwebtoken.Jwts`'s `header(Map)`, `jwsHeader()` and `jwsHeader(Map)` methods have been removed in favor of the new `header()` method that returns a `HeaderBuilder` to support method chaining and dynamic `Header` type creation. The `HeaderBuilder` will dynamically create a `Header`, `JwsHeader` or `JweHeader` automatically based on builder state. - Similarly, `io.jsonwebtoken.Jwts`'s `claims()` static method has been changed to return a `ClaimsBuilder` instead of a `Claims` instance. - **JWTs that do not contain JSON Claims now have a payload type of `byte[]` instead of `String`** (that is, `Jwt<byte[]>` instead of `Jwt<String>`). This is because JWTs, especially when used with the `cty` (Content Type) header, are capable of handling *any* type of payload, not just Strings. The previous JJWT releases didn't account for this, and now the API accurately reflects the JWT RFC specification payload capabilities. Additionally, the name of `plaintext` has been changed to `content` in method names and JavaDoc to reflect this taxonomy. This change has impacted the following JJWT APIs: - The `JwtBuilder`'s `setPayload(String)` method has been deprecated in favor of two new methods: - `setContent(byte[])`, and - `setContent(byte[], String contentType)` These new methods allow any kind of content within a JWT, not just Strings. The existing `setPayload(String)` method implementation has been changed to delegate to this new `setContent(byte[])` method with the argument's UTF-8 bytes, for example `setContent(payloadString.getBytes(StandardCharsets.UTF_8))`. - The `JwtParser`'s `Jwt<Header, String> parsePlaintextJwt(String plaintextJwt)` and `Jws<String> parsePlaintextJws(String plaintextJws)` methods have been changed to `Jwt<Header, byte[]> parseContentJwt(String plaintextJwt)` and `Jws<byte[]> parseContentJws(String plaintextJws)` respectively. - `JwtHandler`'s `onPlaintextJwt(String)` and `onPlaintextJws(String)` methods have been changed to `onContentJwt(byte[])` and `onContentJws(byte[])` respectively. - `io.jsonwebtoken.JwtHandlerAdapter` has been changed to reflect the above-mentioned name and `String`-to-`byte[]` argument changes, as well adding the `abstract` modifier. This class was never intended to be instantiated directly, and is provided for subclassing only. The missing modifier has been added to ensure the class is used as it had always been intended. - `io.jsonwebtoken.SigningKeyResolver`'s `resolveSigningKey(JwsHeader, String)` method has been changed to `resolveSigningKey(JwsHeader, byte[])`. - `io.jsonwebtoken.JwtParser` is now immutable. All mutation/modification methods (setters, etc) deprecated 4 years ago have been removed. All parser configuration requires using the `JwtParserBuilder`. - Similarly, `io.jsonwebtoken.Jwts`'s `parser()` method deprecated 4 years ago has been changed to now return a `JwtParserBuilder` instead of a direct `JwtParser` instance. The previous `Jwts.parserBuilder()` method has been removed as it is now redundant. - The `JwtParserBuilder` no longer supports `PrivateKey`s for signature verification. This was an old legacy behavior scheduled for removal years ago, and that change is now complete. For various cryptographic/security reasons, asymmetric public/private key signatures should always be created with `PrivateKey`s and verified with `PublicKey`s. - `io.jsonwebtoken.CompressionCodec` implementations are no longer discoverable via `java.util.ServiceLoader` due to runtime performance problems with the JDK's `ServiceLoader` implementation per https://github.com/jwtk/jjwt/issues/648. Custom implementations should be made available to the `JwtParser` via the new `JwtParserBuilder#addCompressionAlgorithms` method. - Prior to this release, if there was a serialization problem when serializing the JWT Header, an `IllegalStateException` was thrown. If there was a problem when serializing the JWT claims, an `IllegalArgumentException` was thrown. This has been changed up to ensure consistency: any serialization error with either headers or claims will now throw a `io.jsonwebtoken.io.SerializationException`. - Parsing of unsecured JWTs (`alg` header of `none`) are now disabled by default as mandated by [RFC 7518, Section 3.6](https://www.rfc-editor.org/rfc/rfc7518.html#section-3.6). If you require parsing of unsecured JWTs, you must call the `JwtParserBuilder#enableUnsecured()` method, but note the security implications mentioned in that method's JavaDoc before doing so. - `io.jsonwebtoken.gson.io.GsonSerializer` now requires `Gson` instances that have a registered `GsonSupplierSerializer` type adapter, for example: ```java new GsonBuilder() .registerTypeHierarchyAdapter(io.jsonwebtoken.lang.Supplier.class, GsonSupplierSerializer.INSTANCE) .disableHtmlEscaping().create(); ``` This is to ensure JWKs have `toString()` and application log safety (do not print secure material), but still serialize to JSON correctly. - `io.jsonwebtoken.InvalidClaimException` and its two subclasses (`IncorrectClaimException` and `MissingClaimException`) were previously mutable, allowing the corresponding claim name and claim value to be set on the exception after creation. These should have always been immutable without those setters (just getters), and this was a previous implementation oversight. This release has ensured they are immutable without the setters. </details> <details> <summary>spring-projects/spring-boot (org.springframework.boot:spring-boot-starter-oauth2-client)</summary> ### [`v3.5.0`](https://github.com/spring-projects/spring-boot/releases/tag/v3.5.0) Full [release notes for Spring Boot 3.5](https://github.com/spring-projects/spring-boot/wiki/Spring-Boot-3.5-Release-Notes) are available on the wiki. ##### :star: New Features - Make heapdump endpoint restricted by default [#45624](https://github.com/spring-projects/spring-boot/pull/45624) - Remove SSL status tag from metrics [#45602](https://github.com/spring-projects/spring-boot/issues/45602) - Remove 'spring.http.client' deprecation and change 'spring.http.reactiveclient.settings' to 'spring.http.reactiveclient' [#45507](https://github.com/spring-projects/spring-boot/issues/45507) ##### :lady_beetle: Bug Fixes - Unable to override/set nested ConfigurationProperties by passing as a system property [#45639](https://github.com/spring-projects/spring-boot/issues/45639) - ValidationAutoConfiguration triggers early initialization of properties binding [#45618](https://github.com/spring-projects/spring-boot/issues/45618) - Micrometer "enable" annotations property does not cover observed aspect [#45617](https://github.com/spring-projects/spring-boot/issues/45617) - spring.graphql.sse.timeout is no longer exposed [#45613](https://github.com/spring-projects/spring-boot/issues/45613) - SpringApplication.setEnvironmentPrefix is ignored when reading SPRING_PROFILES_ACTIVE [#45549](https://github.com/spring-projects/spring-boot/issues/45549) - IllegalStateException when extracting using layers a module with no code of its own [#45449](https://github.com/spring-projects/spring-boot/issues/45449) - Removed spring.batch.initialize-schema property is still considered [#45380](https://github.com/spring-projects/spring-boot/pull/45380) - ReactorHttpClientBuilder does not offer a factory method to create the HttpClient [#45378](https://github.com/spring-projects/spring-boot/issues/45378) - Suggested values for spring.jpa.hibernate.ddl-auto are not aligned with Hibernate [#45351](https://github.com/spring-projects/spring-boot/issues/45351) - Custom default units declared on a field are ignored when binding properties in a native image [#45347](https://github.com/spring-projects/spring-boot/issues/45347) - DockerRegistryConfigAuthentication uses the wrong serverUrl as a fallback for the Credentials helper [#45345](https://github.com/spring-projects/spring-boot/pull/45345) - Various spring.datasource properties are mistakenly marked as ignored [#45342](https://github.com/spring-projects/spring-boot/issues/45342) - JerseyWebApplicationInitializer always gets loaded, setting a ServletContext initParameter [#45297](https://github.com/spring-projects/spring-boot/issues/45297) - DockerRegistryConfigAuthentication does not align with Docker CLI [#45292](https://github.com/spring-projects/spring-boot/pull/45292) - Unlike the Docker CLI, "\x00" characters are not trimmed from a decoded Docker Registry password [#45290](https://github.com/spring-projects/spring-boot/pull/45290) - CloudFoundry security matcher logs a warning due to use of the 'ignoring()' method [#32622](https://github.com/spring-projects/spring-boot/issues/32622) ##### :notebook_with_decorative_cover: Documentation - Document the java info contribution [#45634](https://github.com/spring-projects/spring-boot/issues/45634) - Document the process info contribution [#45632](https://github.com/spring-projects/spring-boot/issues/45632) - Document the os info contribution [#45630](https://github.com/spring-projects/spring-boot/issues/45630) - Document typical spring.application.group and name use [#45628](https://github.com/spring-projects/spring-boot/issues/45628) - Document that bean methods should be static when annotated with `@ConfigurationPropertiesBinding` [#45626](https://github.com/spring-projects/spring-boot/issues/45626) - Document the way that primary Kotlin constructors are used when binding [#45553](https://github.com/spring-projects/spring-boot/issues/45553) - Improve "profile" reference documentation with additional admonitions [#45551](https://github.com/spring-projects/spring-boot/issues/45551) - Improve setEnvironmentPrefix(...) reference documentation [#45376](https://github.com/spring-projects/spring-boot/issues/45376) - Document all the available Testcontainers integrations [#45367](https://github.com/spring-projects/spring-boot/issues/45367) - Document when a spring.config.import value is relative and when it is fixed [#45363](https://github.com/spring-projects/spring-boot/issues/45363) - Update org.cyclonedx.bom version in docs to 2.3.0 [#45320](https://github.com/spring-projects/spring-boot/issues/45320) - Update link to "Parameter Name Retention" section of Spring Framework's release notes [#45299](https://github.com/spring-projects/spring-boot/issues/45299) ##### :hammer: Dependency Upgrades - Prevent upgrade to Prometheus Client 1.3.7 [#45541](https://github.com/spring-projects/spring-boot/issues/45541) - Upgrade to Couchbase Client 3.8.1 [#45539](https://github.com/spring-projects/spring-boot/issues/45539) - Upgrade to Elasticsearch 8.18.1 [#45447](https://github.com/spring-projects/spring-boot/issues/45447) - Upgrade to GraphQL Java 24.0 [#45588](https://github.com/spring-projects/spring-boot/issues/45588) - Upgrade to Hibernate 6.6.15.Final [#45540](https://github.com/spring-projects/spring-boot/issues/45540) - Upgrade to HttpClient5 5.4.4 [#45462](https://github.com/spring-projects/spring-boot/issues/45462) - Upgrade to Jackson Bom 2.18.4 [#45463](https://github.com/spring-projects/spring-boot/issues/45463) - Upgrade to Jackson Bom 2.19.0 [#45542](https://github.com/spring-projects/spring-boot/issues/45542) - Upgrade to Jetty 12.0.21 [#45519](https://github.com/spring-projects/spring-boot/issues/45519) - Upgrade to jOOQ 3.19.23 [#45465](https://github.com/spring-projects/spring-boot/issues/45465) - Upgrade to Kafka 3.9.1 [#45606](https://github.com/spring-projects/spring-boot/issues/45606) - Upgrade to Micrometer 1.15.0 [#45432](https://github.com/spring-projects/spring-boot/issues/45432) - Upgrade to Micrometer Tracing 1.5.0 [#45433](https://github.com/spring-projects/spring-boot/issues/45433) - Upgrade to Neo4j Java Driver 5.28.5 [#45446](https://github.com/spring-projects/spring-boot/issues/45446) - Upgrade to Netty 4.1.121.Final [#45466](https://github.com/spring-projects/spring-boot/issues/45466) - Upgrade to R2DBC Proxy 1.1.6.RELEASE [#45467](https://github.com/spring-projects/spring-boot/issues/45467) - Upgrade to Reactor Bom 2024.0.6 [#45434](https://github.com/spring-projects/spring-boot/issues/45434) - Upgrade to REST Assured 5.5.2 [#45571](https://github.com/spring-projects/spring-boot/issues/45571) - Upgrade to Spring Authorization Server 1.5.0 [#45435](https://github.com/spring-projects/spring-boot/issues/45435) - Upgrade to Spring Data Bom 2025.0.0 [#45436](https://github.com/spring-projects/spring-boot/issues/45436) - Upgrade to Spring Framework 6.2.7 [#45437](https://github.com/spring-projects/spring-boot/issues/45437) - Upgrade to Spring GraphQL 1.4.0 [#45438](https://github.com/spring-projects/spring-boot/issues/45438) - Upgrade to Spring HATEOAS 2.5.0 [#45559](https://github.com/spring-projects/spring-boot/issues/45559) - Upgrade to Spring Integration 6.5.0 [#45439](https://github.com/spring-projects/spring-boot/issues/45439) - Upgrade to Spring Kafka 3.3.6 [#45440](https://github.com/spring-projects/spring-boot/issues/45440) - Upgrade to Spring LDAP 3.3.0 [#45441](https://github.com/spring-projects/spring-boot/issues/45441) - Upgrade to Spring Pulsar 1.2.6 [#45442](https://github.com/spring-projects/spring-boot/issues/45442) - Upgrade to Spring Retry 2.0.12 [#45443](https://github.com/spring-projects/spring-boot/issues/45443) - Upgrade to Spring Security 6.5.0 [#45444](https://github.com/spring-projects/spring-boot/issues/45444) - Upgrade to Spring Session 3.5.0 [#45560](https://github.com/spring-projects/spring-boot/issues/45560) - Upgrade to Spring WS 4.1.0 [#45445](https://github.com/spring-projects/spring-boot/issues/45445) - Upgrade to Tomcat 10.1.41 [#45520](https://github.com/spring-projects/spring-boot/issues/45520) - Upgrade to XmlUnit2 2.10.1 [#45607](https://github.com/spring-projects/spring-boot/issues/45607) ##### :heart: Contributors Thank you to all the contributors who worked on this release: [@ahrytsiuk](https://github.com/ahrytsiuk), [@izeye](https://github.com/izeye), [@lhotari](https://github.com/lhotari), [@ngocnhan-tran1996](https://github.com/ngocnhan-tran1996), [@nosan](https://github.com/nosan), [@quaff](https://github.com/quaff), [@thecooldrop](https://github.com/thecooldrop), and [@yybmion](https://github.com/yybmion) ### [`v3.4.6`](https://github.com/spring-projects/spring-boot/releases/tag/v3.4.6) ##### :lady_beetle: Bug Fixes - Micrometer "enable" annotations property does not cover observed aspect [#45616](https://github.com/spring-projects/spring-boot/issues/45616) - SpringApplication.setEnvironmentPrefix is ignored when reading SPRING_PROFILES_ACTIVE [#45548](https://github.com/spring-projects/spring-boot/issues/45548) - IllegalStateException when extracting using layers a module with no code of its own [#45448](https://github.com/spring-projects/spring-boot/issues/45448) - Suggested values for spring.jpa.hibernate.ddl-auto are not aligned with Hibernate [#45350](https://github.com/spring-projects/spring-boot/issues/45350) - Custom default units declared on a field are ignored when binding properties in a native image [#45346](https://github.com/spring-projects/spring-boot/issues/45346) - JerseyWebApplicationInitializer always gets loaded, setting a ServletContext initParameter [#45296](https://github.com/spring-projects/spring-boot/issues/45296) ##### :notebook_with_decorative_cover: Documentation - Document the java info contribution [#45633](https://github.com/spring-projects/spring-boot/issues/45633) - Document the process info contribution [#45631](https://github.com/spring-projects/spring-boot/issues/45631) - Document the os info contribution [#45629](https://github.com/spring-projects/spring-boot/issues/45629) - Document typical spring.application.group and name use [#45627](https://github.com/spring-projects/spring-boot/issues/45627) - Document that bean methods should be static when annotated with `@ConfigurationPropertiesBinding` [#45625](https://github.com/spring-projects/spring-boot/issues/45625) - Document the way that primary Kotlin constructors are used when binding [#45552](https://github.com/spring-projects/spring-boot/issues/45552) - Improve "profile" reference documentation with additional admonitions [#45550](https://github.com/spring-projects/spring-boot/issues/45550) - Improve setEnvironmentPrefix(...) reference documentation [#45375](https://github.com/spring-projects/spring-boot/issues/45375) - Document all the available Testcontainers integrations [#45366](https://github.com/spring-projects/spring-boot/issues/45366) - Document when a spring.config.import value is relative and when it is fixed [#45362](https://github.com/spring-projects/spring-boot/issues/45362) - Update link to "Parameter Name Retention" section of Spring Framework's release notes [#45298](https://github.com/spring-projects/spring-boot/issues/45298) ##### :hammer: Dependency Upgrades - Upgrade to Hibernate 6.6.15.Final [#45537](https://github.com/spring-projects/spring-boot/issues/45537) - Upgrade to HttpClient5 5.4.4 [#45455](https://github.com/spring-projects/spring-boot/issues/45455) - Upgrade to Jackson Bom 2.18.4 [#45456](https://github.com/spring-projects/spring-boot/issues/45456) - Upgrade to Jetty 12.0.21 [#45516](https://github.com/spring-projects/spring-boot/issues/45516) - Upgrade to jOOQ 3.19.23 [#45458](https://github.com/spring-projects/spring-boot/issues/45458) - Upgrade to Micrometer 1.14.7 [#45412](https://github.com/spring-projects/spring-boot/issues/45412) - Upgrade to Micrometer Tracing 1.4.6 [#45413](https://github.com/spring-projects/spring-boot/issues/45413) - Upgrade to Neo4j Java Driver 5.28.5 [#45431](https://github.com/spring-projects/spring-boot/issues/45431) - Upgrade to Netty 4.1.121.Final [#45459](https://github.com/spring-projects/spring-boot/issues/45459) - Upgrade to R2DBC Proxy 1.1.6.RELEASE [#45460](https://github.com/spring-projects/spring-boot/issues/45460) - Upgrade to Reactor Bom 2024.0.6 [#45414](https://github.com/spring-projects/spring-boot/issues/45414) - Upgrade to REST Assured 5.5.2 [#45570](https://github.com/spring-projects/spring-boot/issues/45570) - Upgrade to Spring Data Bom 2024.1.6 [#45415](https://github.com/spring-projects/spring-boot/issues/45415) - Upgrade to Spring Framework 6.2.7 [#45417](https://github.com/spring-projects/spring-boot/issues/45417) - Upgrade to Spring Integration 6.4.5 [#45419](https://github.com/spring-projects/spring-boot/issues/45419) - Upgrade to Spring Kafka 3.3.6 [#45421](https://github.com/spring-projects/spring-boot/issues/45421) - Upgrade to Spring Pulsar 1.2.6 [#45423](https://github.com/spring-projects/spring-boot/issues/45423) - Upgrade to Spring Retry 2.0.12 [#45425](https://github.com/spring-projects/spring-boot/issues/45425) - Upgrade to Spring Security 6.4.6 [#45558](https://github.com/spring-projects/spring-boot/issues/45558) - Upgrade to Spring WS 4.0.14 [#45581](https://github.com/spring-projects/spring-boot/issues/45581) - Upgrade to Tomcat 10.1.41 [#45517](https://github.com/spring-projects/spring-boot/issues/45517) - Upgrade to XmlUnit2 2.10.1 [#45605](https://github.com/spring-projects/spring-boot/issues/45605) ##### :heart: Contributors Thank you to all the contributors who worked on this release: [@ahrytsiuk](https://github.com/ahrytsiuk), [@izeye](https://github.com/izeye), [@ngocnhan-tran1996](https://github.com/ngocnhan-tran1996), [@nosan](https://github.com/nosan), [@quaff](https://github.com/quaff), [@thecooldrop](https://github.com/thecooldrop), and [@yybmion](https://github.com/yybmion) </details> <details> <summary>stripe/stripe-java (com.stripe:stripe-java)</summary> ### [`v29.2.0`](https://github.com/stripe/stripe-java/blob/HEAD/CHANGELOG.md#2920---2025-05-29) - [#2000](https://github.com/stripe/stripe-java/pull/2000) Update generated code. This release changes the pinned API version to `2025-05-28.basil`. - Add support for `attach_payment` method on resource `Invoice` - Add support for `collect_inputs` method on resource `terminal.Reader` - Add support for `succeed_input_collection` and `timeout_input_collection` test helper methods on resource `terminal.Reader` - Add support for `pixPayments` on `Account.capabilities`, `AccountCreateParams.capabilities`, and `AccountUpdateParams.capabilities` - Add support for `disputesList` and `paymentDisputes` on `AccountSession.components` and `AccountSessionCreateParams.components` - Add support for `refundAndDisputePrefunding` on `Balance` - Add support for `balanceType` on `BalanceTransaction` - Change `billing.AlertCreateParams.usage_threshold.meter` to be required - Add support for `location` and `reader` on `Charge.payment_method_details.affirm` and `Charge.payment_method_details.wechat_pay` - Add support for `paymentMethodRemove` on `checkout.SessionCreateParams.saved_payment_method_options` - Add support for `setupFutureUsage` on `checkout.Session.payment_method_options.naver_pay` - Add support for `postPaymentAmount` and `prePaymentAmount` on `CreditNote` - Add support for `sex`, `unparsedPlaceOfBirth`, and `unparsedSex` on `identity.VerificationReport.document` and `identity.VerificationSession.verified_outputs` - Add support for `billingThresholds` on `InvoiceCreatePreviewParams.schedule_details.phases[].items[]`, `InvoiceCreatePreviewParams.schedule_details.phases[]`, `InvoiceCreatePreviewParams.subscription_details.items[]`, `SubscriptionCreateParams.items[]`, `SubscriptionCreateParams`, `SubscriptionItemCreateParams`, `SubscriptionItemUpdateParams`, `SubscriptionItem`, `SubscriptionSchedule.default_settings`, `SubscriptionSchedule.phases[].items[]`, `SubscriptionSchedule.phases[]`, `SubscriptionScheduleCreateParams.default_settings`, `SubscriptionScheduleCreateParams.phases[].items[]`, `SubscriptionScheduleCreateParams.phases[]`, `SubscriptionScheduleUpdateParams.default_settings`, `SubscriptionScheduleUpdateParams.phases[].items[]`, `SubscriptionScheduleUpdateParams.phases[]`, `SubscriptionUpdateParams.items[]`, `SubscriptionUpdateParams`, and `Subscription` - Add support for `satispay` on `PaymentIntent.payment_method_options`, `PaymentIntentConfirmParams.payment_method_options`, `PaymentIntentCreateParams.payment_method_options`, and `PaymentIntentUpdateParams.payment_method_options` - Add support for `captureMethod` on `PaymentIntent.payment_method_options.billie` - Add support for `kakaoPay`, `krCard`, `naverPay`, `payco`, and `samsungPay` on `PaymentMethodConfigurationCreateParams`, `PaymentMethodConfigurationUpdateParams`, and `PaymentMethodConfiguration` - Add support for `networkDeclineCode` on `Refund.destination_details.paypal` - Add support for `metadata` on `tax.CalculationCreateParams.line_items[]` and `tax.CalculationLineItem` - Add support for new value `simulated_stripe_s700` on enum `terminal.ReaderListParams.deviceType` - Add support for `returnUrl` on `terminal.Reader.action.process_payment_intent.process_config` and `terminal.ReaderProcessPaymentIntentParams.process_config` - Add support for `collectInputs` on `terminal.Reader.action` - Add support for new value `invoice_payment.paid` on enums `WebhookEndpointCreateParams.enabledEvents` and `WebhookEndpointUpdateParams.enabledEvents` - Add support for new value `2025-05-28.basil` on enum `WebhookEndpointCreateParams.apiVersion` - Add support for snapshot event `invoice_payment.paid` with resource `InvoicePayment` - [#2002](https://github.com/stripe/stripe-java/pull/2002) Adds generated Customer retrievePaymentMethod overload - Adds `retrievePaymentMethod` overload to `Customer` that accepts a payment method id and `RequestOptions` object - [#1997](https://github.com/stripe/stripe-java/pull/1997) Adds CONTRIBUTING.md </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

Renovate force-pushed renovate/dependencies-(major-and-minor) from 11610c5bd2 to 617d6ec749

2025-05-22 18:01:44 +00:00

Compare

Renovate force-pushed renovate/dependencies-(major-and-minor) from 617d6ec749 to 6a15513611

2025-05-22 23:01:35 +00:00

Compare

Renovate force-pushed renovate/dependencies-(major-and-minor) from 6a15513611 to cc35dab12b

2025-05-26 12:01:50 +00:00

Compare

Renovate force-pushed renovate/dependencies-(major-and-minor) from cc35dab12b to 0d8291b554

2025-05-28 07:01:48 +00:00

Compare

Renovate force-pushed renovate/dependencies-(major-and-minor) from 0d8291b554 to 10d5085390

2025-05-28 08:01:52 +00:00

Compare

Renovate force-pushed renovate/dependencies-(major-and-minor) from 10d5085390 to 69dd7d60a3

2025-05-28 09:02:28 +00:00

Compare

Claude requested changes 2025-05-28 09:03:43 +00:00

Dismissed

Claude left a comment

Collaborator

The dependency updates look clean and well-organized, but there are concerns about the major version jump for JWT libraries (0.11.5 → 0.12.6) which likely includes breaking changes. Before merging: 1) Run the full test suite to ensure no authentication/JWT functionality is broken, 2) Manually test login/logout flows and JWT token validation, 3) Verify Spring Boot OAuth2 3.5.0 compatibility with the current Spring Boot version. The JWT version jump requires careful validation as it may introduce subtle runtime issues in authentication flows.

Claude requested changes 2025-05-28 09:10:40 +00:00

Dismissed

Claude left a comment

Collaborator

The dependency updates look structurally sound, but I have concerns about the major version jump for JJWT (0.11.5 → 0.12.6) which could introduce breaking changes. This version update likely includes API changes that should be verified. Additionally, the Spring Boot OAuth2 updates should be tested to ensure authentication flows remain functional. Please ensure all JWT-related functionality (token creation/validation) and OAuth2 authentication flows are thoroughly tested before merging. Consider reviewing the JJWT 0.12.x changelog for any breaking changes that might affect the current implementation.

Renovate force-pushed renovate/dependencies-(major-and-minor) from 2a79935bc5 to ba8c75cb6f

2025-05-28 11:02:12 +00:00

Compare

Renovate force-pushed renovate/dependencies-(major-and-minor) from ba8c75cb6f to ffc861de7c

2025-05-28 12:01:44 +00:00

Compare

Renovate force-pushed renovate/dependencies-(major-and-minor) from ffc861de7c to f720f90c72

2025-05-28 20:02:46 +00:00

Compare

Renovate force-pushed renovate/dependencies-(major-and-minor) from f720f90c72 to 6c6246cad5

2025-06-01 11:02:05 +00:00

Compare

Renovate force-pushed renovate/dependencies-(major-and-minor) from 6c6246cad5 to 5367b9f80e

2025-06-01 12:01:58 +00:00

Compare

Renovate force-pushed renovate/dependencies-(major-and-minor) from 5367b9f80e to a63ce08224

2025-06-02 13:02:12 +00:00

Compare

Renovate force-pushed renovate/dependencies-(major-and-minor) from a63ce08224 to 26c4daae5c

2025-06-03 06:08:52 +00:00

Compare

jank dismissed Claude's review 2025-06-03 06:15:28 +00:00

Reason:

no rights

Renovate force-pushed renovate/dependencies-(major-and-minor) from 26c4daae5c to 25c85eb5fb

2025-06-03 07:01:39 +00:00

Compare

Renovate force-pushed renovate/dependencies-(major-and-minor) from 25c85eb5fb to 7facef9065

2025-06-03 08:01:53 +00:00

Compare

forgejo-actions added the

backend

label 2025-06-03 08:02:12 +00:00

Renovate force-pushed renovate/dependencies-(major-and-minor) from 7facef9065 to ddd24b63bf

2025-06-03 08:47:07 +00:00

Compare

forgejo-actions added the

size

small

label 2025-06-03 08:48:52 +00:00

ptran added the

labels 2025-06-03 09:07:09 +00:00

jank removed the

labels 2025-06-03 09:10:02 +00:00

Renovate force-pushed renovate/dependencies-(major-and-minor) from ddd24b63bf to b44479f721

2025-06-03 12:48:07 +00:00

Compare

forgejo-actions added the

backend

size

small

labels 2025-06-03 12:48:19 +00:00

Renovate force-pushed renovate/dependencies-(major-and-minor) from b44479f721 to 1cfe702561

2025-06-04 06:51:00 +00:00

Compare

Renovate force-pushed renovate/dependencies-(major-and-minor) from 1cfe702561 to 15e8cf02f7

2025-06-04 07:02:36 +00:00

Compare

jank added 1 commit 2025-06-04 08:01:03 +00:00

fix: Remove missing method

CI / Get Changed Files (pull_request) Successful in 11s

Details

CI / eslint (pull_request) Has been skipped

Details

Pull Request Labeler / labeler (pull_request_target) Successful in 10s

Details

CI / oxlint (pull_request) Has been skipped

Details

Label PRs based on size / Check PR size (pull_request) Successful in 14s

Details

CI / Docker frontend validation (pull_request) Has been skipped

Details

CI / prettier (pull_request) Has been skipped

Details

CI / test-build (pull_request) Has been skipped

Details

CI / Docker backend validation (pull_request) Successful in 1m31s

Details

CI / Checkstyle Main (pull_request) Successful in 1m45s

Details

CI / Backend Tests (pull_request) Successful in 2m9s

Details

Claude PR Review / claude-code (pull_request) Has been cancelled

Details

234442dccd

Renovate commented

2025-06-04 08:02:33 +00:00

Author

Collaborator

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

### Edited/Blocked Notification Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR. You can manually request rebase by checking the rebase/retry box above. ⚠️ **Warning**: custom changes will be lost.

jank approved these changes 2025-06-04 08:03:57 +00:00

jank merged commit c6ae4a1056 into main

2025-06-04 08:04:02 +00:00

jank deleted branch renovate/dependencies-(major-and-minor)

2025-06-04 08:04:02 +00:00

jank referenced this pull request from a commit

2025-06-04 08:04:04 +00:00

Merge pull request 'fix(deps): update dependencies (major and minor)' (!219) from renovate/dependencies-(major-and-minor) into main

Commenting is not possible because the repository is archived.

No reviewers

No milestone

No project

No assignees

3 participants

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: SZUT/casino#219

No description provided.

Rows
Columns

fix(deps): update dependencies (major and minor) #219

Release Notes

Jackson Default Parsing Behavior

Additional Changes

Simplified Starter Jar

JSON Web Encryption (JWE) Support!

JSON Web Key (JWK) Support!

JWK Thumbprint and JWK Thumbprint URI support

JWS Unencoded Payload Option (b64) support

Better PKCS11 and Hardware Security Module (HSM) support

Custom Signature Algorithms

KeyBuilder and KeyPairBuilder

Preparation for 1.0

Backwards Compatibility Breaking Changes, Warnings and Deprecations

Breaking Changes

⭐ New Features

🐞 Bug Fixes

📔 Documentation

🔨 Dependency Upgrades

❤️ Contributors

🐞 Bug Fixes

📔 Documentation

🔨 Dependency Upgrades

❤️ Contributors

Configuration

Edited/Blocked Notification

JWS Unencoded Payload Option (`b64`) support